We can’t control what people say to us – we can only control our response.
Risk and uncertainty are much the same I suppose…
The original version of the following article has been one of the most popular here at my blog.
Like other popular posts, such as this comparison of traditional risk management and ERM, it’s important to take a step back and re-examine this topic for two main reasons: my perspective has changed since the article was first published, and the blog’s considerable growth has resulted in more resources to support the sections below.
The core theme of this piece from the beginning has really been about answering one basic question. You, your team, executives, and risk owners have done the work of identifying, assessing, and analyzing risks and opportunities, so the question that naturally comes up is – now what?
In some cases, reducing or avoiding risks is the best choice, especially if the alternative means breaking the law or someone getting hurt or killed. It’s a common misconception that risk management is all about reducing harm or averting failure, but as we’ll get into more later, this isn’t always the case and can, in fact, lead to failure.
The first four response strategies below are very traditional in nature and, as Hans Læssøe discusses in his book Prepare to Dare on the different levels of risk management, well established.
A variety of factors internal to your organization will drive which of the following options management chooses. Risk appetite is one of several tools for helping you determine the right response strategy, but contrary to the original version of this article, it is by no means the only tool, nor always the best one, as this piece from Norman Marks explains.
Remember too that your risk response strategy can change over time as conditions warrant, which is why consistent monitoring of risks and the broader environment is so important.
(To learn more check out Risk Monitoring: 6 Considerations for Understanding this Make or Break Moment for ERM.)
Without further ado, below are 5 potential risk response strategies to consider for handling strategic, operational, legal, or other risks and opportunities.
Risk response strategy #1 – Avoid
As the name implies, quitting a particular action or opting to not start it at all is an option for responding to a risk. When you choose to avoid a risk, you are cutting off any possibility of it posing a threat to your enterprise. As I discuss in the intro section above, executives and managers will choose this option for any risks that could get the company in major legal trouble or lead to someone getting killed.
A recent example of this is the shift to working from home to prevent employees from contracting COVID-19. Most organizations decided to avoid the risk of their employees getting sick. Other examples of this option can include halting the production of a particular product, selling a division of the company, or deciding against an expansion.
Now on the surface, this may seem like an attractive option, but it’s not always practical or advisable as we’ll explain in risk response strategy #5 below. However, if you’re absolutely certain there is zero tolerance for the risk in question, then the avoid option is the appropriate risk response.
To learn more, check out What to Do When Risks are Unavoidable.
Risk response strategy #2 – Reduce
What this means in ERM speak is to take steps to reduce the likelihood or impact of a loss. If the risk is just slightly above your appetite and tolerance level, then reduction is a reasonable strategy for bringing it down to within acceptable limits.
On a personal level, we all employ risk reduction in one way or another in our daily lives. When we get in our car to go somewhere, we put on a seatbelt to reduce the potential impact of an accident.
Notice though that this action does not reduce the chance of an accident occurring – if that is your goal, then you would need to just stay home.
In business, spending too much to reduce a risk can be a waste of time and resources…to illustrate, I’m going to go back to my first job as a cashier at a grocery store.
A big responsibility of a cashier is to make sure your drawer balances at the end of each shift. At my store, we were allowed some latitude, specifically an “over/under” of up to $3; meaning, if my drawer was missing $1.80, the store would just write it off. It was somewhat of a relief to know I had this cushion, but if it happened all of the time, the store would have reason to be suspicious.
Now, let’s say there was an over/under latitude of only 2 cents…
Would it make sense to pay someone their hourly rate to chase down 50 cents or a dollar or would it be more efficient to just accept that you lost a dollar?
As you should be able to see by this example, spending too much time on trivial matters can be wasteful, so keep that in mind when choosing this risk response.
To learn more, check out Risk Reduction – A Response Strategy for Decreasing the Impact of Potential Risk Events.
Risk response strategy #3 – Transfer
Unlike options 1 and 2, this option does not eliminate or reduce the chances of the risk occurring, but instead delegates or transfers responsibility for the risk to a third party. Purchasing insurance for your home doesn’t reduce or eliminate damage from a storm, but it does provide a financial safety net in the event damages do occur.
Besides insurance, another common method for transferring risk is to include indemnification clauses in contractual arrangements, which are commonly found in construction and service job contracts, rental contracts, purchase order agreements, lease agreements, consulting agreements and more. The point of both these and insurance policies is to make you whole in the event a covered peril (or event) occurs.
One important point to remember with this option – it only kicks in post-event, and as we’ve discussed in many articles since the original article, intangible risks like reputation and talent cannot be transferred to a third party.
Think of it this way: You can outsource a process, but you cannot outsource a risk.
In the end, when managing risks to the enterprise, the goal of risk transfer is to ultimately reduce the (mostly financial) impact should something materialize. The company is therefore willing to take a gamble on the risk occurring.
To learn more, visit Risk Transfer – A Response Strategy for Limiting Damage from a Negative Event.
Risk response strategy #4 – Accept
There will likely be other risks outside your tolerance where one of the other response options will not be a good fit since the probability and/or the impact is so low that it does not make sense to expend resources to avoid, transfer, or reduce the risk.
In cases like this, you can simply accept the risk as-is and do nothing…yes, you read that right, you can do nothing! In other words, risk acceptance is a passive decision since it requires no action.
Other risks that can fall into this category include emerging risks, or ones that may pose some sort of threat in the distant future.
If you want to get technical, all risks except ones you completely avoid can fall into the accept category.
If you reduce a risk, you’re still accepting the part within your appetite. If you transfer the risk via insurance, you still accept part of the risk as it relates to your monthly premiums and deductible/retention. Only when a covered event exceeds this amount does your insurance take over to compensate you for the losses.
Therefore, unless you’re avoiding the risk altogether, you are using a combination of the reduce (mitigate), transfer, and/or accept risk response strategy by default.
To learn more, read One Tool for Informed and Responsible Risk Acceptance.
Risk response strategy #5 – Take risks
Here’s where things get more interesting. Up until now, we’ve really been looking at risks as a negative and at different response strategies for helping your company avert failure.
But as we’ve discussed in other posts, especially over the last 1-2 years, companies that simply focus on minimizing losses are putting themselves at an extreme disadvantage against more agile competitors, risking (you guessed it!) failure.
It’s always been true, but it’s even more so today – in order to succeed, you have to take risks.
Let’s say you have a goal and have identified the risks to achieving it. However, some of these risks exceed your company’s pre-determined appetite. If you were strictly using risk appetite as your metric, the response may be to avoid the risk altogether, but if you do this, you will not accomplish the goal.
In this situation, decision-makers could decide to take on the risks – note that this is not the same as the “accept” strategy above because risk acceptance is passive in nature.
In this situation, you are actively facing the risk head on by making preparations. Having a game plan does not reduce the severity or likelihood of this event occurring; it simply makes the organization’s actions post-risk smoother and more integrated.
Take a commonly discussed risk these days, cyber.
Because of all the scary headlines out there, it is natural to reach the conclusion to reduce, transfer, and avoid this risk as much as possible. However, as Norman Marks discusses in his book Making Business Sense of Technology Risk, you have to balance these issues against your goals and objectives.
For example, your company may want to develop an app as part of a multi-year initiative to modernize services (focused on opportunity!). You know there are risks of a data breach and so on, but executives decide to push forward anyway because, if you do not develop the app, the chances of being displaced by a competitor who is willing to take this risk are quite high.
Several tools are available, both qualitative and quantitative, for helping inform decision-makers on the level of risk they are taking and the likelihood of success. These can range from root cause and scenario analysis to Monte Carlo simulation, sophisticated modeling, and more.
This response represents a more advanced level of risk or uncertainty management that forward-thinking companies are embracing to build a competitive advantage, or as Hans Læssøe explains in his book Prepare to Dare:
All companies take risks in pursuit of their strategic aspirations. Deploying this enhanced level [of] risk management, the risk taking becomes intelligent and based on identified and validly assessed risks and opportunities – based on a balanced utilization of the risk tolerance.
The former Formula One and Indy 500 race driver Mario Andretti stated ‘If everything is under control, you are moving too slow.’ This is true in business as well, and having an advanced level risk management in place enables moving faster.
Besides creating a competitive advantage, risk professionals who pursue this level of uncertainty management will become increasingly valuable to the organization in the years to come as many basic risk management tasks are automated.
Regardless of which risk response strategy you choose, monitoring will be a key part of ensuring you stay on track.
As we discuss in the intro, a risk response can change over time, which is even more true since this article was first written. Consistent, systematic risk monitoring is crucial for understanding which response strategies you should change and when.
How does your company choose its risk response strategies? Do you take a more traditional risk-averse approach or the opposite?
The original version of this article has generated a lot of discussion since it was first published. I hope you find this updated version helpful in understanding changes in risk management and how it can be used as a tool for better decision-making. To share your perspective, please feel free to leave a comment below or join the conversation on LinkedIn.
And to discuss your company’s methods for understanding risks and determining the best response strategy, don’t hesitate to reach out to me to discuss your situation today!
Featured image courtesy of Stuart Seeger via Wikimedia Commons